Security layer and methods for protecting tenant data in a cloud-mediated computing network

ABSTRACT

A system for protecting data managed in a cloud-computing network from malicious data operations includes an Internet-connected server and software executing on the server from a non-transitory physical medium, the software providing a first function for generating one or more security tokens that validate one or more computing operations to be performed on the data, a second function for generating a hash for each token generated, the hash detailing, in a secure fashion, the operation type or types permitted by the one or more tokens, a third function for brokering two-party signature of the one or more tokens, and a fourth function for dynamically activating the one or more signed tokens for a specific time window required to perform the operations permitted by the token.

CROSS-REFERENCE TO RELATED DOCUMENTS

NA

BACKGROUND OF THE INVENTION

1. Field of the Invention

The present invention is in the field of distributed computing includingcloud-mediated computing networks and pertains particularly to methodsand apparatus for securing tenant data against malicious operations.

2. Discussion of the State of the Art

A cloud-mediated computing network is a network-accessible distributedcomputing platform used by companies to provide network-based datamanagement solutions for businesses to manage their own data and databelonging to their clients. The distributed computing model isattractive to organizations from startups to large multinationalcorporations that seek computing alternatives that enable them to reducecomputing costs, maintenance overhead, and to gain computing power ondemand.

It is desired that such computing resources provide flawless, secure,and negative latency computational power with little or no downtime.While external security measures instituted on cloud-based computingnetworks are adequate for most personal and industrial uses, tenantsdesire more control over the operations that are performed on theirproprietary and mission critical data. Current controls in place formost cloud-based networks such as process auditing, event logging, andsharing of logs with cloud tenants are not sufficiently secure forlarger institutions that manage critical and highly sensitive data. Towit, larger corporations favor private cloud-networks tailored toaccommodate global needs of large corporate houses confining the cloudtechnology within their corporate backbones.

Providers of public cloud-computing based on models such as theInfrastructure as a Service (IaaS) model have identified a lack of trustof external entities and a fact that tenants currently have little or nocontrol over mission critical data at premises outside the providerorganization's domain perimeter as among key reasons for a sluggishadoption rate for tenants subscribing to cloud-mediated computing.

In current practice, clients must entrust the service provider with allits business intelligence (in the form of data) and computinginfrastructure (in terms of hardware and other supporting operationalsoftware and applications) and expects its data to be preserved,protected, serviced properly, and respected for its value. To be fair,most service providing organizations do have a higher level of securityin place than normal enterprise security regimens. These measures helpaddress key areas of security by satisfying the norms put forth bycurrent security standards. For example, data are encrypted when intransit and while in storage to ensure that it is not intercepted anddecoded.

A challenge to encryption is that it may not be practically applied toextremely large data sets or for certain types of data intenseoperations. One reason for this is that many current databases require anon-encrypted state to render the data searchable for extraction anddistribution operations resulting from database queries. Moreover,adequate monitors are in place to capture and plug identifiedvulnerabilities and to raise appropriate alarms in order to initiateimmediate corrective actions. However, such procedural methods in placewithin most cloud-mediated service networks will not prevent maliciousattacks from happening. They simply provide indication that maliciousactions have occurred and may help with tracing such malicious activityback to its origin and preventing future acts from that source as atemporary solution.

Therefore, what is currently needed in the art is a security layer andmethods that will empower cloud tenants in efforts to control how theirdata is accessed and serviced at the provider's facilities. A solutionsuch as this will offer cloud-computing tenants a higher degree ofconfidence and assurance about the confidentiality, integrity, andsecurity of the services that are consumed.

SUMMARY OF THE INVENTION

The problem stated above is that complete trust is desirable for tenantssubscribing to public or privately offered cloud-mediated computingservices, but many of the conventional means for creating completetrust, such as secure encryption of data and industry-tested firewalls,do not address trust issues relative to some internally-based securitythreats. The inventors therefore considered functional components of acloud-based computing network, looking for elements that exhibitpotential for interoperability that could potentially be harnessed toprovide trust measures that enforce trust of internal operatives but ina manner that would not require significant computational resources orcreate more network latency.

Every cloud-mediated computing network is dependant on trust thattenants place toward the network architecture and service-provideroperators, one by-product of which is an abundance of loyal tenantssubscribing to offered services. All cloud-mediated computing networksemploy data servers and software applications to conduct the permitteddata operations relative to tenants secure data, and data serversexecuting software are typically a part of such apparatus.

The present inventor realized in an inventive moment that if, duringnormal servicing of cloud-mediated data, operations requested on datacould be validated internally and be permitted only for time periodsrequired to perform such operations, significant improvement in securityagainst malicious intent spawned from within the network domain mightresult. The inventor therefore constructed a unique security layer andmethods for protecting tenant data from malicious internal threats thatallowed tenants more control over their data while constrainingoperations on data to those operations that are pre-negotiated betweenthe service provider and the tenant and limiting the life cycle of thoseoperations to operation windows deemed sufficient for performing thoseoperations. A significant improvement in internal security of tenantdata against malicious intent results, with no impediment to operationaltask requirement or network latency created.

Accordingly, in one embodiment of the present invention, a system forprotecting data managed in a cloud-computing network from malicious dataoperations is provided including an Internet-connected server andsoftware executing on the server from a non-transitory physical medium,the software providing a first function for generating one or moresecurity tokens that validate one or more computing operations to beperformed on the data, a second function for generating a hash for eachtoken generated, the hash detailing, in a secure fashion, the operationtype or types permitted by the one or more tokens, a third function forbrokering two-party signature of the one or more tokens, and a fourthfunction for dynamically activating the one or more signed tokens for aspecific time window required to perform the operations permitted by thetoken.

In one embodiment, the cloud-computing network is a public network basedon an Infrastructure as a Service (IaaS) model. In a preferredembodiment, the system is implemented in a virtual machine monitoringlayer. In this embodiment, the system is further integrated into a Dom0kernel. In a preferred embodiment, the available computing operationsattributed to the one or more generated tokens are pre-definedattributes of a parent object, the operations agreed to in a servicelevel agreement (SLA) between a cloud computing tenant and a cloudcomputing service provider.

In one embodiment, the one or more generated tokens are stored in aninactive and signed state until they are required to validate arequested operation. In one embodiment, one or more of the tokens arereusable tokens that are uniquely identified at each instance of use. Inone embodiment, one or more tokens are dynamically generated uponrequest of a cloud service administrator or cloud tenant for performanceof one or more data operations outside of a current SLA. In a variationof this embodiment, the one or more dynamically generated tokens areadded to a token storage space containing the pre-negotiated tokens, theone or more tokens incorporating one or more new operations into the SLAas one or more updates.

In a preferred embodiment, the one or more tokens are signed usingprivately held keys. In one embodiment, the hash of a token is comparedto an embedded hash value to validate the content and operationintegrity of the token before activation for use. In one embodiment, thesystem includes a fifth function for validating one or more tokens foroperation against pre-negotiated list of permitted operations in the SLApolicy governing the provider/tenant relationship.

According to an aspect of the present invention, a method is providedfor securing against internal malicious operations against data storedon a cloud-computing network. The method includes the steps (a)generating one or more security tokens that validate one or morecomputing operations permitted on the data, the operations listed in apre-negotiated service level agreement between a tenant and serviceprovider of the cloud computing network, (b) generating hashes for theone or more security tokens, the hashes validating the integrity of eachtoken relevant to the operation or operations that each token permits,(c) signing the one or more tokens using encryption keys privately heldby the tenant and the service provider, (d) upon request, activating oneor more of the tokens to initiate one or more computing operationspermitted on the data.

In a preferred aspect of the method, the cloud-computing network is apublic/private/hybrid network based on an Infrastructure as a Service(IaaS) model. Also in a preferred aspect, the available computingoperations attributed to the one or more generated tokens arepre-defined attributes of a parent object, the operations agreed to in aservice level agreement (SLA) between a cloud computing tenant and acloud computing service provider. In one aspect, the one or moregenerated tokens are stored in an inactive and signed state until theyare required to validate a requested operation.

According to another aspect of the present invention, a method isprovided for using a token object to authenticate one or more computingoperations requested to be performed on cloud-mediated data. The methodincludes the steps (a) performing a lookup in a secure object databasefor a token object that permits the operation or operations that aresubject of a received request to perform the one or more computingoperations, (b) in the event a relevant token is not found, generatingand sending a system notification, (c) in the event a relevant token isfound, generating a temporary ID for the token, (d) validating theoperational integrity of the token, (e) activating the token for aperiod of time representing a time frame within which the data operationor operations must be completed, and (f) destroying or deactivating andstoring the token after the stated operations are completed.

In one aspect of the method, in step (b), the system notification issent to a tenant interface operated as a control dashboard interface. Ina preferred aspect, in step (d), the operational integrity of the tokenis validated by comparing hash values. In another aspect, in step (f)the deactivated token is reusable for the same operation or operationsit permits.

BRIEF DESCRIPTION OF THE DRAWING FIGURES

FIG. 1 is an architectural overview of a cloud-mediated data networkthat supports secure token authentication for operations performed oncloud data according to an embodiment of the present invention.

FIG. 2 is a block diagram illustrating basic components of software 117of FIG. 1.

FIG. 3 is a block diagram illustrating basic components of software 119of FIG. 1.

FIG. 4 is a block diagram illustrating basic components of software 120of FIG. 1.

FIG. 5 is a process flow chart illustrating steps for generating secureintelligent tokens from a secured policy definition according to anembodiment of the present invention.

FIG. 6 is a process flow chart illustrating steps for validating anoperation performed on cloud data using a secure intelligent tokenaccording to an embodiment of the present invention.

FIG. 7 is a process flow chart illustrating a process fordifferentiating between a transitory token and a reusable token forvalidating an operation performed on cloud data according to anembodiment of the present invention.

DETAILED DESCRIPTION

The inventors provide a system and methods for protecting data managedin a cloud-computing network from malicious data operations that enablescloud tenants better control over what operations can be performed ontheir data, who can perform those operations, and when those operationsare permitted. The present invention will be described in enablingdetail using the following examples, which may describe more than onerelevant embodiment falling within the scope of the present invention.

FIG. 1 is an architectural overview of a cloud-mediated data network 100that supports secure token authentication for operations performed oncloud data according to an embodiment of the present invention. Datanetwork 100 includes a trusted third-party data network 101. Datanetwork 101 may be a corporate wide area network (WAN) or local areanetwork (LAN), or some other secured data network managed by a thirdparty trusted provider of certain security elements related to thepresent invention. More specifically, the trusted third-party may be acompany that provides security-enabled data objects (SEDO), a termcoined by the inventors to describe a token generated from a parent SEDOobject model. Third-party trusted network 101 is not specificallyrequired in order to practice the present invention. In one embodiment,the third party is simply a secure and trusted party that bothcloud-computing tenants and a cloud-computing service provider entitytrusts to generate security tokens, also referred to herein as secureintelligent tokens (SITs).

Data network 100 includes a cloud-computing tenant network 102. Tenantnetwork 102 represents any wired or wireless data network that maysupport access to cloud computing for one or more connected computingappliances. Computing appliances 114 a-d represent cloud-computingclient devices having connection to cloud-based services provided by acloud-computing service providing entity. Data network 100 furtherincludes a provider network 103. Provider network 103 represents anywired and or wirelessly accessible data network secured for provision ofcloud-mitigated computing or “cloud computing” as it is referred to inthe art. In this embodiment, trusted third-party data network 101,tenant network 102, and provider network 103 are interconnected by theInternet network, illustrated herein as Internet network 104.

Internet network 104 includes a network backbone 107. Network backbone107 represents all of the lines, equipment, and access points that makeup the Internet network as a whole, including connected sub-networks.Therefore, there are no geographic limitations to practice of thepresent invention. Internet backbone 107 supports a web server 110. Webserver 110 includes a non-transitory physical medium that contains allof the data and software required to enable function as a web server.Any third-party web hosting service (not illustrated) may host webserver 110. In one embodiment, web server 110 is maintained by theservice provider and may be hosted within the network domain of theservice provider or within network 103 without departing from the spiritand scope of the present invention.

Web server 110 hosts a website 122. The cloud-computingservice-providing entity operating service provider network 103maintains website 122. Website 122 represents an access point forpotential cloud-computing tenants such as those operating computingappliances 114 (a-d). Tenants operating computing appliances 114 (a-d)may access website 122 and register for cloud-computing services offeredby the service providing entity through provider network 103. In oneembodiment, web sever 110 includes a proxy server that provides proxyservice access to cloud-computing services offered through providernetwork 103. Such tenants as part of negotiating cloud services, mayagree upon and sign a service level agreement (SLA). The SLA defines allservice provisions, service levels, and details what specific dataoperations are permitted to be performed on tenant cloud data and whomay perform those operations.

Tenants operating computing appliances 114 (a-d) may connect to website122 on web server 110 and may access and download a client application121. Client application 121, illustrated on computing appliance 114 (d),may include a client interface application or “dashboard” controlinterface. Such an interface may reside on and be executed from acomputing appliance to enable active network interface with cloud-basedservices offered through provider network 103. Tenants may control andmanage many aspects of the cloud-computing services through clientapplication 121 including but not limited to authorizing special ad-hoccloud-computing requests received from cloud tenants. In anotherembodiment, application 121 may reside on web server 110 or on anothermachine accessible over the network. Computing appliances 114 (a-d) maybe desktop, laptop, or notebook computing appliances, android devices,smart phones, iPAD devices, or any computing appliance capable ofInternet connection, navigation, and networking.

Provider network 103 includes a network backbone 106. Network backbone106 represents all of the lines, equipment, and access points that makeup provider network 103. Provider network 103 may be any corporate orprivate network that has connection to Internet network 104 throughwhich provider services may be made available to the public at large. Inthis embodiment, provider network backbone 106 supports a data server111. Server 111 includes a non-transitory medium containing all of thedata and software required to enable function as a data server. Dataserver 111 provides access to cloud-computing resources for tenantsoperating appliances 114 (a-d). Server 111 may be accessed throughapplication 121 in one embodiment. In one embodiment tenants areconnected to a proxy server, which in turn provides connection to server111.

A policy manager 120 is provided and illustrated in this example asresiding on server 111. Policy manager 120 is a software applicationthat manages SLA derived policy used to govern cloud-computing servicestenant by tenant. In a preferred embodiment, cloud-computing tenantssuch as an organization, small business, or user group have a specificpolicy tailored to their cloud-computing needs. In one embodiment, aformalized SLA representing a service agreement between a tenant and aservice provider is forwarded to a trusted third party like oneoperating through third-party network 101 so that information relativeto service provision can be used to aid in the generation of secureintelligent tokens, also referred to herein as simply tokens. Secureencrypted policies may be generated based on SLA input and forwardedback to the service provider network for secure storage and maintenance.

Data server 111 includes a security enabled data object (SEDO) managerapplication 119. Application 119 provides one or more methods for usingSITs to enable cloud-computing operations of tenant data according topolicy-driven rules and constraints. SEDO manager 119 manages storageand access of secure intelligent tokens specifically designed to enablesecure permissions for performing specific data operations on cloud dataowned by tenants. Token management includes token storage, token access,and token validation processes. All of the data operations permitted oncloud data are defined by tokens generated for tenants based on SLApolicy and rules. In this example, tokens are generated for use by athird party that is trusted by both the tenant and the service provider.Tokens may or may not be encrypted when stored for latter use. One tokenmay define one or more data operations that may be performed under theSLA agreement and governed by a formalized secure policy definition. Toprevent latency, tokens associated with all VM instances running on aparticular node are stored locally.

Data server 111 has connection to cloud-computing resources 114 (clouddata/storage/hardware). Resources 114 include all of the hardware,software, and data storage facilities to enable a cloud-computing islandor network. Resources 114 typically include numerous computing processorunits (CPUs) and machines represented in a physical hardware layer, andvirtual operating systems represented in a hypervisor layer analogous toa virtual machine layer. Provider network backbone 106 supports anetwork-connected computing appliance 116. Computing appliance 116represents a terminal used by administration or the like to maintain andadminister cloud services. In one embodiment, administrator 116 hasdirect access or access through an interface to a cloud-computingconsole (not illustrated) enabling an authorized administrator toperform administrative tasks and to submit operation requests to thesystem for performing operations on cloud-hosted data. In oneembodiment, the cloud-computing network 103 is a public network based onan infrastructure as a service (IaaS) cloud-computing model. In otherembodiments, aspects of the present invention may be practiced onprivate cloud-computing networks, or on hybrid networks withoutdeparting from the spirit and scope of the present invention. IaaS isthe base model for platform as a service (PaaS) and for software as aservice (SaaS).

In one embodiment of the present invention, token generation andintermediary post-generation management is performed by a trusted thirdparty operating through network 101. However, it will be apparent to onewith skill in the art that all of the software applications enablingfunctions of the invention may reside on and be executed from one serverconnected to the network or many servers connected to the Internetwithout departing from the spirit and scope of the present invention.Separation of software instances or components in this example is meantonly to illustrate the separate domains of a service provider, acloud-computing guest or tenant, and a third-party service providingactual token generation based on SLA provisions. In all embodiments, atleast the SEDO management application 119 has components, which aretightly integrated within the cloud-computing hypervisor layer thatbrokers communication of operation requests to the cloud computingnetworks physical layer (114). More detail about software integrationwith cloud-components is described later in this specification.

Third-party network backbone 108 supports a data server 109. Data server109 includes a non-transitory physical medium that contains all of thedata and software required to enable function as a data server. Server109 includes a software (SW) token generator 117. In one embodiment, SW117 is adapted to accept formalized SLA data contained in an SLAagreement as data input in order to generate a machine-readable policydefinition that outlines the particulars of data operations that areidentified in the agreement and allowed according to policy of theagreement. Token generator 117 generates security enabled data objects(SEDOs), also referred to as tokens that provide secure access andpermissions for the service provider to perform operations on the clouddata owned by that tenant covered under the policy.

Server 109 also hosts a token manager 118. Token manager 118 may provideencryption for generated tokens in one embodiment. Token manager 118 maybroker tenant and provider signature of generated tokens, and mayforward generated tokens for each tenant to a secure token storagefacility (not illustrated) maintained by the service provider. In oneembodiment, the policy definition governing all of the operationsdefined in the tokens is encrypted and sent to the service provider forsecure storage with the tokens for each tenant. Server 109 includes amass storage repository 112 that contains all of the records of eventsperformed by the trusted third-party charged with token generation andencryption services. Backbone 108 supports an administration terminal115 that represents a computing appliance used by an administrator toprovide administration, routine maintenance, and other tasks relative tothe third-party components in place for token generation and management.

In practice of the invention, a tenant such as one operating one or moreof computing appliances 114 (a-d) connects to website 122 and registersfor cloud-computing services. In the process, the tenant and serviceprovider will form and agree to an SLA defining the scope of servicesoffered and detailing all of the permitted operations that may beperformed relative to the tenant's cloud data. The formalized (signed)SLA may then be forwarded to the trusted third-party service forgeneration of a machine-readable policy definition that governspermitted use for each token generated under the policy. All of thetokens required to define and permit each allowable data operationpermitted under the policy are generated from a parent object model. Thegenerated tokens are child instances of that model. In one embodiment,tokens are signed but not encrypted. In another embodiment, allgenerated tokens are encrypted at the third-party service. The tokenmanager brokers signature of each generated token. Both the tenant andthe service provider sign tokens using private keys. The token managerforwards the generated tokens and policies governing them to the serviceprovider for secure storage.

In practice of the invention, the service provider services requests foroperations on cloud data by looking in the policy and token store forthe specific token and policy that permits the request. If the signedtoken exists and is permitted under the policy, the service providerextracts the token and queues it for processing. During processing, thetoken may be validated against possible tampering or file corruptionthrough comparing hash values generated from the token's operationdescription to a pre-generated hash value embedded in the token data atthe time it was generated. A token may be assigned an identificationnumber for an active state. A time to live (TTL) may be pre-determinedand activated for the token when the token is used. The TTL forces theoperation(s) permitted by the token to be performed within the TTLwindow and the token becomes inactive or benign at the end of the TTLpreventing further operation performance on the data.

In one embodiment a token is generated from an ad-hoc request for a dataoperation or operations that were not permitted in the original policyand for which no reusable tokens exist. Such tokens may be generated ifboth the service provider and tenant agree to permit the new dataoperation(s). In this embodiment, the token is generated, signed, andused in the same manner as pre-generated tokens. The tenant may electfor the newly generated token to become a reusable token if it is deemedthat the operation(s) should become part of regular policy. In thiscase, the policy is modified to reflect the new data operation(s) thatwill be permitted regularly in the future. There may also be operationson data permitted by reusable tokens that the tenant desires to deleteor eliminate from the policy. In this case, if both parties agree,tokens may be scraped eliminating certain operations from beingperformed on tenant data.

SEDO manager 119 is integrated with the hypervisor layer of the cloudcomputing platform and certain components are integrated into theoperating system kernel to enable token-permitted operations. Inempirical testing, the system of the invention is implemented on XEN asthe Hypervisor or virtual machine layer and Ubuntu, a modified LinuxKernel representing Domain 0. The integration is required from acommunications perspective where requests are trapped or queued forprocessing at the kernel and passed on to a hypervisor communicationsagent for implementation of the operations with respect to the physicalhardware layer. In all embodiments, tenants receive alerts ornotifications to their client dashboard application interfaces wheneverrequests do not match permitted operations or if any unauthorizedrequests are received. Token operation tampering, policy tampering, ormalicious reordering of token operations or time constraints from withinthe service provider's network are revealed during policy check and hashcomparison.

Tenant network backbone 105 supports a mass repository containing logsthat contain all events having occurred with respect to cloud datamanagement and operations. In this example, tenants 114 (a-d) are partof an organization or group sharing tenant network 102. However, atenant may represent a single entity operating one computing appliancewithout departing from the spirit and scope of the present invention. Inone embodiment, components illustrated in trusted third-party network101, may instead be implemented on client servers or computingappliances as part of the client application thereby eliminating anythird-party dependencies. In one embodiment, tenants may vest differentlevels of trust on the service provider and may therefore instillvarying degrees of security constraints to be imparted to their virtualinstances. Tenants who trust the service provider the most would requirethe lowest degree of security where as tenants who want to hostmission-critical data would put a least amount of trust on the serviceprovider and therefore require higher levels of security. The tokensecurity regimen of the invention has the flexibility to enforcesecurity on demand and according to varying trust models subscribed toby tenants.

FIG. 2 is a block diagram illustrating basic components of software 117of FIG. 1. SW 117 is hosted by a third-party trusted by both tenants andthe service provider to provide token generation, encryption (ifapplicable), and secure policy generation. The trusted third party isseparated from the service provider by a secure firewall insuring thatthe service provider plays no role in token generation or in the initialphases of post generation token management.

SW 117 is referred to as a token generator in this example. Tokengeneration software 117 is also termed a SEDO access control manager(SACM). SW 117 takes a formalized SLA between a tenant and the serviceprovider as input to generate tokens for a tenant. The service providermay send a digital copy of an SLA held in policy store 207 to thetrusted third party for evaluation. A policy reader 201 automaticallyparses the SLA in this example. In one embodiment, SLAs may also bereviewed by a knowledge worker or authorized administrator. Policyreader 201 isolates all of the data operations that are permitted in thepolicy along with all of the rules and constraints governing eachoperation.

To generate a token, SW 117 begins with a parent object 202. Parentobject 202 is termed a client security enabled data object component(CSEDOC) by the inventor. The parent object is an object model thatincludes all of the possible service attributes and methods includingdata operations, rules, constraints, and security levels that theservice provider includes in its service to cloud tenants. Tokens aregenerated from parent model 202 according to SLA interpretation bypolicy reader 201. In this example tokens 203 (1-n) are child instancesof parent object 201.

SW 118, termed a token manager, manages tokens generated by SW 117 interms of immediate post generation tasks. Token manager 118 isresponsible for encrypting tokens (if applicable) and for generating andencrypting (if applicable) a hash value for each generated token andthen embedding the hash within the token data. During use, the hashvalues embedded within each token are compared to rehashed valuesgenerated within the DOM 0 kernel during token activation to validatethe integrity of the token, more particularly that the token has notbeen tampered with by the trusted third party or by the service providerduring inactive storage or in transit. In this example, the hash isgenerated from the operation description or content description of thetoken.

In one embodiment, mapping of tokens and token attributes to policyattributes are contained in an extensible markup language (XML) file. Aunique session identification (SID) may be generated each time a tokenis used to complete operations relative to a new request by the serviceprovider or by the tenant. SID assignment may be performed at thelocation or domain of the service provider. In one embodiment, tokengenerator SW 117 provides a summary machine-readable version (policydefinition) of the formalized SLA policy that may be stored along withor separately from the generated tokens for each tenant. The policy maybe used as a reference map when accessing tokens for use. For example,if a request comes into the system that requires a token forpermissions, the service provider may access the service policy todetermine if a token exists for the request. The policy definitionverifies whether the requested token operations are permitted and if atoken was generated and is available in storage and that is valid foruse in enabling performance of those operations.

In this example, the generated tokens are reusable tokens that areincorporated with a TTL clock. The TTL clock is activated during use ofthe token by the service provider. The token only permits its statedoperation(s) during the active TTL state of the token. When the TTLexpires, the operation(s) authorized by the token should be completelyperformed. The token is deactivated when the TTL expires and anyoperations running during this period must be forced to complete or shutdown before the expiration point in time. In a preferred embodiment,token management SW 118 brokers tenant and service provider signing ofeach generated token verifying that both recognize the validity of eachgenerated token to be used to permit specified data operations. Tokenare signed using private keys, one for the tenant and another for theservice provider. Generated tokens with signatures are sent to theservice provider in encrypted or non-encrypted format and stored in atoken store 206 maintained by the service provider.

In one embodiment, SW 117 may be incorporated in the generation oftokens for use with ad-hoc requests representing requests for performingone or more operations on data wherein those specific operations werenot included in the formalized SLA. In this case, the tenant may havesome control over whether the ad-hoc tokens will be made reusable orslated for destruction after one-time use. In a third-party example, thetenant is also separated from the trusted third-party by a firewall.

FIG. 3 is a block diagram illustrating basic components of software 119of FIG. 1. SW 119 is termed a SEDO manager and is an active tokenmanagement component that provides at least one method for initiating atleast one operation on cloud data based on leveraging a token to gainpermission for performing the operation(s). When a request to perform anoperation arrives at the system on the provider network, the provideraccesses the machine-readable policy of the tenant subject to therequest to determine if there are any tokens stored in the token/policystore that permit the operation(s) defined in the request. If a tokenexists, the service provider may access the token from the token store206 and may assign a SID for that token. The token may be moved toactive token store 301 representing a queue of sorts for tokens that areactive and ready for processing.

Active tokens are extracted from active token store 301 for furtherprocessing and implementation. In this example, the generated token andrequest is sent to a token revalidation engine 302. Token revalidationengine 302 generates a hash value from the description of tokenoperation(s) and compares the value with the embedded hash generated bythe third-party token generator module. This process insures that thetoken was not altered or otherwise tampered with before implementationto permit one or more data operations defined by the token. If the tokenrevalidation engine does not get a match of the hash values, it maycause an alert to be sent to the tenant via an alert mechanism 304.Token validation is performed in the DOM 0 kernel.

The alert sent to a tenant may be sent directly, or through proxyservice, to the tenant's alert or notification section in the tenant'sclient dashboard application. SW 119 includes a token reader 303 thatparses the data operation(s), and any constraints associated with theoperation. For example, one constraint might be a level of encryption tobe performed on cloud-computing data associated with a tenant's level oftrust of the service provider for that operation(s). If the hash valuesmatch and all other parameters are correct for a token, the token readermay pass the token along to a hypervisor communication agent 305.Hypervisor component 305 communicates the operation(s) requested anddefined in the token to the physical hardware layer through thehypervisor layer of the cloud-computing platform.

In order to implement the above concept in empirical testing, thefollowing development bed has been prepared and the specification usesXEN Hypervisor v4.0.1 (neXt gENeration Virtualization), Dom0 running onUbuntu, which is a modified Linux Kernel v2.6.32.45-pv, and CloudPlatform XCP 1.0 (XEN Cloud Platform). The inventors selected XENhypervisor because it is one of most widely accepted and used opensource hypervisor layers. It is the fastest and most secureinfrastructure virtualization solution available today supporting a widerange of operating systems and various versions of Berkeley SoftwareDistribution (BSD) operating systems. An important consideration is thatthe source code is available for it to be modified to incorporate thisnew secure software layer of the present invention. The SEDO layerinterprets all requests before the requests reach the hypervisor layerfor execution.

Tokens are extracted from a secure token store, unwrapped and validatedbefore the rules and operations embedded in the token are applied. Oncevalidated and authorized by the SEDO layer the control is passed back tothe hypervisor layer for execution. In one embodiment, tokens are storedin a non-encrypted state but are signed by both tenant and serviceprovider. In another embodiment tokens are stored in an encrypted state.In one embodiment two or more encryption levels are available for thetenant to select from regarding encryption of data in general includingtoken encryption and policy definition encryption.

FIG. 4 is a block diagram illustrating basic components of software 120of FIG. 1. SW 120 is termed a SEDO policy management module by theinventors. SW 120 ensures that requests received from the cloud providerare crosschecked against agreed policies. If the policy supporting therequest exists then the policy manager uses a token mapping table toextract the appropriate token and passes it to the kernel for furtherprocessing.

In this example, tenant and provider requests arrive to a request queue401. When a next request is processed, the SLA policy store 207 may bepinged to access the policy covering the request on behalf of thetenant's data. If no policy exists that supports the request, the cloudtenant is immediately notified through the alert dashboard in the clientapplication (121). A decision module 402 may be provided that functionsto connect policy with a token. For example, if policy review determinesthe request is permitted, a token mapping table may be accessed toretrieve the appropriate token from token store 206. If the request isnot supported by the existing policy for that tenant and request, thenthe tenant may be provided an opportunity to approve the request(provider request).

If the request is a tenant request that is not currently supported bypolicy, the tenant may be given the opportunity to have the operationssubject of the request performed as an ad-hoc or one time request. Inboth cases, a new token may be generated and approved by the tenant thatmay be used to authorize and enable performance of the operationssubject of the request. Decision module 402 is responsible forascertaining the states of the request and formulating certain tasksincluding tenant notification and new token generation (if needed).

When the provider or the tenant submits a request, the request ischecked against the policy store 207. If the request is supported bypre-agreed policy as determined by decision module 402, then thecorresponding token (SIT) is extracted from token store 206. If therequest is not supported an alert is sent to the alert section in theclient dashboard application (121). The tenant may then make a decisionwhether to approve the providers current requested action on thetenant's data. If the tenant approves the request from the serviceprovider then the corresponding token (SIT) is generated by the tokengenerator module (117) and passed onto the policy management module(120). The request, in this case, may be approved as a repeatableoperation or set of operations calling for a reusable token that isgenerated and deposited in the token store. If the request is just an adhoc request then the generated token is not stored in the token store.

A token generated for an ad hoc request may have a flag set for it usinga flag directory 403 listing tokens generated for ad hoc requests. Asnew tokens that are not reusable arrive to be acted on, a flag is dumpedonto flag directory 403. This directory is pinged constantly by aprocess watcher or monitor 404 which will then insert the token into anactive token store 301 located at the providers domain within the SEDOmanager component 119. An update module 405 is provided for introducingthe new token into the active token store. The SEDO manager component inthe provider domain revalidates the token by regenerating the hash valuefor comparison to the hash embedded within the token when the token wasgenerated.

The SEDO manager passes the token to the SEDO-hypervisor communicationagent who in turn performs the operations of the request. Anotherprocess monitor (not illustrated) provided within the hypervisorcommunication agent tracks the TTL of the token and the results of theactions performed on the cloud data. When a token is released from theactive token store, its internal timer (TTL) will start automatically.The token will self-destruct (ad hoc token only) when the TTL windowencoded within the token has expired. In this way, a token cannot bereused after the intended operation(s) are accomplished. In the case ofa reusable token, the token becomes benign at the end of the TTL andcannot be reused unless reactivated through another request. A newsession identification (SID) is associated with each token activated topermit a data operation or operations. The TTL parameters for a tokengive the system enough time to perform the stated operations but notenough time to be reused for the same operations.

FIG. 5 is a process flow chart 500 illustrating steps for generatingsecure intelligent tokens from a secured policy definition according toan embodiment of the present invention. At step 501, a cloud computingtenant and a service provider of cloud computing services reach aservice level agreement (SLA). The SLA contains detailed descriptions ofall of the operations, rules and constraints that govern serviceprovision and tenant consumption of services. At step 502, the SLA issent to a trusted third-party operator for interpretation and generationof a machine-readable policy definition summarizing or listing thepermitted operations, policy rules, and constraints associated withthose operations. Policy definition at step 502 may include constraintsor rules that govern what operations may be performed on the tenantdata, who may perform those operations, and when and how thoseoperations may be performed. The policy definition may also list all ofthe tokens that will be generated for permitting the listed operations.

The policy definition generated at step 502 from SLA input received atstep 501 is encrypted and stored for later access at step 503. At step504, tokens are generated to enable initiation and performance ofindividual operations or sets of operations defined in the policydefinition generated and stored at step 503. The generated token(s) mayreside in the same data store as the policy definitions in oneembodiment. In one embodiment, when a request is raised, the policydefinition is accessed in order to first validate that the requestedoperations are permitted on tenant data under the policy, and to locatethe correct tokens associated with the policy for performing thoseoperations. Tokens are generated based on a parent object model thatcontains all of the permitted operations, permissible data states,permissible locations of data residency, rules, constraints, and otherlike attributes. All tokens inherit their operational attributes fromthe parent object model.

At step 505, the tokens are hashed relative to their description and/orcontent attributes. The hash values generated are unique for each tokenand are embedded in the token data for later validation purposes. Atstep 506, the service provider and the tenant sign the tokens usingprivate keys provided to or otherwise secured by them at step 506.Generated tokens are stored in a token storage at step 507 for latteruse in authenticating data operations performed on tenant cloud data. Inone embodiment, a trusted third-party operator protected by securefirewall from provider or tenant access performs steps 502 through 507.In one embodiment, process 500 further includes a step before step 507for embedding a TTL clock into the token. In this case, the TTL governsthe time of life of the token during active state (the token beingleveraged to authenticate data operations).

TTL is the time allotted for performing the operation(s) relative to atoken. Therefore for any token, the TTL shall be sufficient to performthe operations permitted by the token but not great enough to repeatsuch operations. Thus, a token may only be active during performance ofthe cloud-data operations allowed by the token and supported by policy.In this exemplary process, it is determined that the tokens are reusabletokens generated from pre-agreed policy and not tokens generated on thefly as a result of an ad hoc request approved by the tenant andprovider. The token store and the policy store may be co-located on thesame repository without departing from the spirit and scope of thepresent invention.

FIG. 6 is a process flow chart 600 illustrating steps for validating anoperation performed on cloud data using a secure intelligent tokenaccording to an embodiment of the present invention. At step 601, thesystem receives a request submitted by a service provider ofcloud-computing services to perform one or more data operations ontenant data stored on the cloud. The system checks a policy storecontaining machine-readable policy definitions to access the policydefinition covering all of the permitted operations and constraintsassociated with operations performed on the tenant's data.

At step 603, the system determines whether the policy definition permitsthe operation or operations that are subject of the received request. Ifthe system determines that the operations are permitted under the policydefinition at step 603, the system finds and accesses the required tokenor tokens covering the operation(s). The system may access a table thatlists the pre-signed token or tokens that permit the operations. Thesystem may then validate the tokens integrity and operations at step607. The system may generate a hash value from token description that iscompared with an embedded hash value generated from the same data at thetime that the token was created from a parent object.

At step 609, the system determines if the token is valid (has not beentampered with). If it is determined at step 609 that the token is valid,then the system may assign a time stamp to the token or TTL parameterthat governs the time frame within which the operation(s) described bythe token(s) must be initiated and completed. A single token mayencapsulate one or more data operations. Moreover, more than one tokenmay be accessed and activated for a tenant from a single request withoutdeparting from the spirit and scope of the present invention. In oneembodiment, a TTL for a token is created and made part of the token(embedded) at the time of token creation.

The system may queue the operation request and accompanying token(s) forprocessing at step 613. Tokens may be deposited for processing in anactive token store. Flags may be set for each queued token to define theoperating state of each token. A process watcher or monitor may pass thetoken(s) onto the hypervisor layer for initiation and performance of thepermitted operations at step 614. At step 615, the system may update anevent log for the tenant and notify the tenant of the current state ofoperations and when those operations are completed.

If at step 603, the system determines that the request is not supportedby the existing policy definition, the system may immediately alert thetenant by sending a message or notification to the tenant at step 604.Such a notification will convey to the tenant that the policy definitiondid not support the operation(s) subject of the request received in step601. At step 606, the system may request permission from the tenant toperform the data operations that were not permitted under the policydefinition. At step 608, the tenant makes a decision whether toauthorize the operations or not to authorize those operations.

If the tenant determines not to authorize the service provider'srequest, the process may terminate at step 615 for that request. Theevent is logged at the tenant and the tenant is notified that therequest was formally denied. The service provider may also record theevent. If the tenant authorizes the operation(s) at step 608, one ormore tokens may be generated at step 610 that cover the operationsrequested. The requested operations must be included in the attributesof a parent SEDO object for normal token generation. At step 612, thetoken(s) are hashed, signed by both parties, and queued for service atstep 612. This process is similar to the process for pre-generatingtokens except that the new tokens are not stored as reusable tokensunless the tenant requests the new operations as part of the regularcloud network service model and the policy definition is updated toreflect the new operation permissions.

The process may then move to step 611 wherein the tokens are assigned aTTL to constrain the operation(s) to be performed within the specifiedtime frame. This process is performed by the token generator in oneembodiment. All of the suggested time frames may be detailed in theparent object as attributes to covered data operations. Time frames fortokens containing multiple data operations may have more than one TTL,for example, a TTL for each operation to be performed. TTLs for specificoperations may be summed to cover a set of operations to be performedleveraging one token. The process then moves to step 613 where the newtoken(s) are queued for processing. At step 614 the operations definedwithin the token are performed and at step 615, the process ends forthat request with logs updated and notification of completion andresults of the operation forwarded to the tenant.

If at step 609, the token(s) could not be validated by comparing hashvalues, it may be an indication that the request is from an unauthorizedentity or that the original token was tampered with or was corrupted insome way. In this case a notification is immediately sent to the tenantat step 604. The tenant may or may not be presented an opportunity topermit the operations on the fly as evidence of tampering or falserequest may lead to an increase in security protocols used to preventsuch malicious intent. The important aspect is that no data operationsare permitted unless they are covered by policy definition andpre-agreed to (existing valid token), or agreed to on the fly with fullgeneration of one or more new tokens to permit those operations withinthe allotted time windows.

FIG. 7 is a process flow chart 700 illustrating a process fordifferentiating between a transitory token and a reusable token forvalidating an operation performed on cloud data according to anembodiment of the present invention. In this process, it is assumed thata request was received for which no existing token was found and thatthe tenant approved generation of one or more new tokens to handle therequest.

In this case, the system may determine at step 701 if the new token(s)is generated from an ad hoc request. An ad hoc request defines a requestthat specifies one or more data operations to be performed on demand orone time. An ad hoc request may be submitted by the tenant or by theservice provider. If the system determines at step 701 that the token(s)is from an ad hoc request, the system may set a flag associated with thetoken for a state of a transitory token at step 703. A transitory tokenis one that is used once and destroyed after use and is not reusable forfuture data operations.

The transitory token may then be stored or queued for use at step 704.At step 705, the system may access the token(s) in order to perform thedata operations specified in the token(s). The system may generate ahash value for the transitory token at step 706, and then it may comparethat value at step 707 with the embedded hash value generated when thetoken was created. At step 708, the system determines if the newtoken(s) is valid. In one embodiment, tokens generated on the fly forone time use may not be required to contain a hash for comparison asthere may be a much lower risk of tampering with a transitory tokencompared to one that is reusable and stored in an inactive state.However, in one embodiment all tokens must contain an embedded hashvalue when they are created from the parent object regardless of thetype of token being reusable or transitory.

At step 708, the system determines if the newly generated token is validor not according to the results of hash generation and comparison insteps 706 and 707. If the system determines that the token(s) is validat step 708, then the system performs the stated operations of the tokenon the tenant's cloud data at step 709. If at step 701, the tenant hasmarked the token as a reusable token, then a flag may be set for thetoken identifying the newly generated token(s) as reusable. The processthen resumes through steps 704 through 708 as previously described for atransitory token(s).

In any case, at step 708, if it is determined that the token(s) are notvalid through hash comparison, then the tenant is immediately alerted atstep 712. The process may then end for the request with logging of theevents performed at step 711. If the system determines that the token(s)are valid at step 708, the system moves to perform the valid dataoperations at step 709. After the operations are performed the token(s)may be discarded or stored at step 710 according to the determinationmade at step 701. The system may then log results at step 711 and notifythe tenant of the completed operation(s) at step 712.

It will be apparent to one with skill in the art that implementing themethods and apparatus of the present invention may avert typical threatsthat may occur in a cloud-computing network. For example, manygovernment and corporate security policies insist in the practice ofresource sharing with certain trusted parties of the network. It ispossible that these bodies may mismanage the co-existence of virtualmachine (VM) instances per the SLA so that non-trusted cloud tenantsshare the same resources used by the government and large corporatebodies.

All trusted parties are identified in the generated policy definitionand only those trusted cloud tenants are allowed to share the underlyingresources allocated to computing of government or corporate data. Theunderlying control and management platform along with the policymanagement module in the hypervisor kernel checks the policy definitionand will ensure that the government or corporate VM instances arelaunched along with previously agreed trusted cloud tenants only. If anattempt is made to violate this rule while launching VMs, the token willblock such moves because they are not specified in the token operations.The system immediately alerts the cloud consumer of such attempts thatfail because they were not permitted by the token content.

In another exemplary use case, a tenant may have entrusted the serviceprovider to do a daily back up of tenant data at a predefined time.There exists a possibility that the administrator may take an entireduplicate copy of the tenant's data and sell it to a competitor or forother malicious reasons. In order to prevent this malicious intent, thetoken defining the backup operation defines the time of day forperforming the operation and the TTL specifies the time needed toperform the backup. The token can be configured to deliver logs thatcarry varying levels of detail depending on the critical nature of theprocess that is being initiated. This way the token will ensure that thebackup operation is done once on the tenant's data at the required timeand within the defined time frame of the TTL. Further attributes may beinherited by the token as per the service level agreement that specifiesthe intended source database or server hosting the data that requiresbackup and the destination device, network, or machine to accept thebacked up data. Without a token the service provider administrator isnot able to perform any actions that are not specified as permittedunder the SLA. Every time such requests are raised the proposedoperations are checked against the policy store to ensure that therequested action is legitimate and is as per the prearrangement agreedat the time of SLA sign off.

It will be apparent to one with skill in the art that the token securitysystem and methods of the invention may be provided using some or all ofthe mentioned features and components without departing from the spiritand scope of the present invention. It will also be apparent to theskilled artisan that the embodiments described above are specificexamples of a single broader invention that may have greater scope thanany of the singular descriptions taught. There may be many alterationsmade in the descriptions without departing from the spirit and scope ofthe present invention.

What is claimed is:
 1. A system for protecting data managed in acloud-computing network from malicious data operations comprising: anInternet-connected server hosted by a service provider providing thecloud-computing network; an Internet-connected computer applianceoperated by a tenant of the cloud-computing network; a third partygenerating security tokens that both the tenant and the service providertrusts to generate security tokens; and software executing on the serverfrom a non-transitory physical medium, the software: providing a controlinterface enabling a tenant access to and control over data owned by thetenant and cloud-computing services; generating a policy definitionaccording to a service level agreement (SLA) for the tenant, whereinsecurity tokens are generated to enable initiation and performance ofindividual operations or sets of operations defined in the policydefinition; ordering or accessing from a token store one or moresecurity tokens, the tokens generated at least from the SLA for thetenant, having stored data including defining the scope of servicesoffered, detailing all permitted operations that may be performedrelative to the tenant's data and identifying who may perform theoperations that validate one or more sets of computing operationsdefined in the policy definition to be performed on the data owned bythe tenant; generating a hash for each token generated, the hashdetailing, in a secure fashion, the computing operation type or typesembedded in the one or more tokens; brokering two-party signature of theone or more tokens, wherein the tenant and service provider sign the oneor more tokens; and dynamically activating the one or more signed tokensfor a specific time window, the time window selected based upon timerequired to perform the operations permitted by the token, theoperations prevented with expiration of the time window; wherein thetenant receives an alert at the control interface wherein anunauthorized request for one or more data specific operations on thetenant data is received outside of the policy definition in accordanceto the SLA, and the tenant interacts with the control interface to denythe request or approve the request to perform one or more specificoperations on the tenant data by at least generating one or more newsecurity tokens enabling performance of the request, thereby modifyingthe policy definition in accordance to the SLA to reflect the dataoperations related to the request stored in the SLA.
 2. The system ofclaim 1, wherein the cloud-computing network is a public network basedon an Infrastructure as a Service (laaS) model.
 3. The system of claim1, implemented in a virtual machine monitoring layer.
 4. The system ofclaim 3, further integrated into a Dom0 system kernel.
 5. The system ofclaim 1, wherein the available computing operations attributed to theone or more generated tokens are pre-defined attributes of a parentobject model, the operations agreed to in the service level agreement(SLA) between the cloud computing tenant and the cloud computing serviceprovider.
 6. The system of claim 1, wherein the one or more generatedtokens are stored in an inactive and signed state until they arerequired to validate a requested operation.
 7. The system of claim 1,wherein one or more of the tokens are reusable tokens that are uniquelyidentified at each instance of use.
 8. The system of claim 1, whereinthe one or more dynamically generated new security tokens are added tothe token store containing the pre-negotiated tokens, the one or moretokens incorporating one or more new operations into the SLA as one ormore modifications.
 9. The system of claim 1, wherein the one or moretokens are signed using privately held keys.
 10. The system of claim 1,wherein the hash for each token is compared to an embedded value of thehash to validate the content and operation integrity of the token beforeactivation for use.
 11. The system of claim 1 further including afunction for validating one or more tokens for operation against apre-negotiated list of permitted operations in the SLA policy governingthe provider/tenant relationship.
 12. A method, provided by softwareexecuting from an Internet-connected computerized server, for securingagainst internal malicious operations against data stored on acloud-computing network comprising the steps: providing a controlinterface enabling a tenant access to and control over data owned by thetenant and cloud-computing services; generating a policy definitionaccording to a service level agreement (SLA) for the tenant, whereinsecurity tokens are generated to enable initiation and performance ofindividual operations or sets of operations defined in the policydefinition; ordering or accessing from a token store one or moresecurity tokens, the tokens generated at least from the SLA for thetenant, having stored data including defining the scope of servicesoffered, detailing all permitted operations that may be performedrelative to the tenant's data and identifying who may perform theoperations that validate one or more sets of computing operationsdefined in the policy definition to be performed on the data owned bythe tenant; generating a hash for each token generated, the hashdetailing, in a secure fashion, the computing operation type or typesembedded in the one or more tokens; brokering two-party signature of theone or more tokens, wherein the tenant and service provider sign the oneor more tokens; and dynamically activating the one or more signed tokensfor a specific time window, the time window selected based upon timerequired to perform the operations permitted by the token, theoperations prevented with expiration of the time window; wherein thetenant receives an alert at the control interface wherein anunauthorized request for one or more data specific operations on thetenant data is received outside of the policy definition in accordanceto the SLA, and the tenant interacts with the control interface to denythe request or approve the request to perform one or more specificoperations on the tenant data by at least generating one or more newsecurity tokens enabling performance of the request, thereby modifyingthe policy definition in accordance to the SLA to reflect the dataoperations related to the request stored in the SLA.
 13. The method ofclaim 12, wherein the cloud-computing network is a public network basedon an Infrastructure as a Service (laaS) model.
 14. The method of claim12, wherein the available computing operations attributed to the one ormore generated tokens are pre-defined attributes of a parent object, theoperations agreed to in the SLA between a cloud computing tenant and acloud computing service provider.
 15. The method of claim 12, whereinthe one or more generated tokens are stored in an inactive and signedstate until they are required to validate a requested operation.